1. TLS Is the Modern Encryption Standard (SSL is Older)

In a nutshell: TLS is the encryption everyone uses these days. SSL is antiquated. When people say SSL, they mean TLS!

SSL/TLS Means “Secure Sockets Layer” and “Transport Layer Security”

Transport Layer Security and Secure Sockets Layer (SSL) are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.

Technically, TLS consists of two parts:

The TLS handshake layer manages which cipher (the type of encryption algorithm) will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.

The TLS record layer gets data from the user applications, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer.

TLS establishes an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts. TLS is most often used in conjunction with other Internet protocols such as HTTPS, SSH, FTPS, and secure email.

TLS/SSL consists of two layers within the application layer of the Internet Protocol Suite (TCP/IP).

In 1999, TLS replaced the older SSL protocol as the encryption most everyone uses. This change was made mostly to avoid legal issues with the Netscape company, which created SSL, so that the protocol could be developed as an open standard, free for all.

HTTP vs. HTTPS

HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.

More and more web servers are also going HTTPS-only, not just for security reasons, but for other practical arguments:

Some browser vendors now require HTTPS for certain browser features (e.g., geo-location). And Google and Firefox intend to phase out non-encrypted HTTP in their browsers. So, the browser community is pushing for HTTPS as the standard.

Users expect a trust- and safety-indicating URL bar (e.g., the padlock icon) without any security warnings, especially on eCommerce sites and other sites with privacy-sensitive data.

It may increase your search engine ranking, too, though this has yet to be confirmed by Google.

2. Differences Between the SSL, SSL v3, and TLS Protocols

Several versions of SSL and TLS have been released over the years:

1995: SSL v2 was the first public release of SSL by Netscape.

1996: SSL v3 was a new version that fixed several security design flaws of SSL v2. By 2004, v3 was considered insecure due to the POODLE attack.

1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-compatibility.

2006: TLS v1.1

2008: TLS v1.2 is the current TLS standard and is used in most cases.

TLS v1.3 is currently still only a working draft specification.

Most applications, such as browsers, are compatible with some of the older SSL protocol versions, too, although SSL is slowly being phased out in favor of the better TLS security.

3. Pros and Cons

Benefits abound for those using encryption to protect their site’s (and customers’) sensitive data. This is especially true of eCommerce and healthcare-related sites.

Pros: SSL/TLS Security

Your site’s traffic benefits from TLS security in two ways:

Prevent intruders from tampering with the communication between your website and web browsers. Intruders can be malicious attackers or benign invaders like ISPs or hotels that inject ads into pages. Sensitive data, such as the user’s login credentials, credit card details, and email info, must never be revealed over the network.

Prevent intruders from passively listening to communications with your server. This is a somewhat elusive, but growing, security threat (also confirmed by the Snowden leaks).

The importance of these pros can’t be overstated — especially for eCommerce sites that depend on getting and retaining user trust for sales.

Cons: SSL/TLS “Handshake”

As great as it sounds, TLS has a few drawbacks:

TLS will add latency to your site’s traffic.

The handshake is resource-intensive. It uses asymmetric encryption to establish a session key, which then allows the client and server to switch to a faster symmetric encryption.

TLS will add complexity to your server management. You will need to get a certificate installed on your web server and maintain the validity of that certificate. Nowadays, there are automated tools for (domain-validated) certificate management.

MaxCDN found a 5ms latency when testing encrypted connections compared to unencrypted connections. Tests showed a peak increase in CPU usage of about 2% as well. However, “even with dozens of parallel requests and hundreds of sequential requests, CPU usage never exceeded 5%.”

As for the performance of the whole connection, MaxCDN concluded: “Encryption does add a step in the initial connection process. The overhead for ongoing connections is negligible when compared to unencrypted connections.”

With the upcoming HTTP/2 standard, setting up a TLS connection will be significantly faster, due to its parallel design (fewer network round trips required for data exchanges).

Additionally, although the HTTP/2 standard itself does not require the use of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have said they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

4. Types of TLS/SSL Certificates

As of late, the entire web seems to be trending toward HTTPS. Certificates can be requested from Certificate Authorities, of which there are many providers. Read up on the various certificate options available in our article on choosing an SSL certificate, or read on as we briefly cover the three main types below.

Extended Validation (EV)

EV certificates come with the green address bar — a recognized symbol of trust on the Internet. EV certificates are the premier TLS certificates. Sites for which security and consumer trust are essentials, such as large eCommerce sites, should seriously consider an EV cert.

Websites with EV certificates tout the green bar of trust in the browser address bar.

These certificates are, however, the most expensive because an extended organizational verification process is done based on these issuing criteria.

Organization Validation (OV)

OV certificates do not come with the green address bar but activate a number of browser trust indicators. An OV certificate requires a business be verified by the Certificate Authority. The organization’s name will be listed on the certificate, which reinforces the trust.

OVs are used by corporations, governments, and other entities that want to provide an extra layer of confidence to their visitors. OV certificates are especially important for eCommerce websites if an EV certificate is unattainable for whatever reason.

Domain Validation (DV)

DV certificates offer industry-standard encryption (at the same level as the other certificate types), but not much else. Aside from its low (or even free) cost, another benefit of a Domain Validated (DV) certificate is it can be issued in mere minutes because the Certificate Authority only has to validate that you own the domain you wish to secure — which is often an automated process.

5. Hosts With FREE SSL/TLS Certificates Included

In the past, getting a certificate was often complicated for website owners. Hosting providers spent inordinate amounts of time integrating different tools and administering manual processes into their businesses. And the cost of a certificate was sometimes a prohibitive factor for smaller and/or non-commercial web property owners.

In 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let’s Encrypt – a free, automated, and open Certificate Authority. This project has shown to be groundbreaking in terms of the number of Domain Validated certificates being used nowadays. Find more on their Automatic Certificate Management Environment (ACME) tools and how to get started here.

In 2016, Symantec started their Encryption Everywhere initiative aimed at ensuring every legitimate website is secure by 2018 using a hassle-free certificate process.

Symantec’s program helps web hosting partners offer basic encryption at no added cost to the hosting customer. Symantec provides basic certificates to hosts, who can, in turn, provide fully integrated SSL encryption to any new or renewing customer (through their cPanel interface).

Here are the top-recommended hosting providers with free SSL certificates:

BEST OVERALLRATING

DreamHost: Our Expert's Review

Setup time: 4 minutes

Laura Bernheim (HostingAdvice.com):
A top-notch host for those who know what they're looking for, DreamHost offers nuanced and performant hosting perfect for scaling websites and applications through the ranks of shared, VPS, cloud, and dedicated hosting.We love their features but realize that... Go to full review »

CHEAPRATING

iPage: Our Expert's Review

Setup time: 5 minutes

PJ Fancher (HostingAdvice.com):
Whether you're a first-time website owner or a web veteran, iPage’s excellent hosting services and fantastic list of extras make them one of the best values in web hosting.Unlimited disk space, bandwidth, and emails are just a part of what makes iPage’s... Go to full review »

CHEAPRATING

InMotion: Our Expert's Review

Setup time: 5 minutes

PJ Fancher (HostingAdvice.com):
InMotion offers an excellent business-class shared hosting plan. While carrying a higher price tag than other cheap hosts, it has a very nice list of features to help justify the extra cost. For the IT crowd in the audience, you’ll appreciate SSH access, as... Go to full review »

So, in these days of free certificates, lower-cost industrial-grade certificates, and much better certificate management tools, there are fewer arguments against using HTTPS as a site owner.

Begin Building Your SSL-Secured Site in Minutes

Now that you know what is required to secure your site using HTTPS, the TLS certificate options available, and the trust expectations of Internet users, you’re free to start implementing encryption best practices on your own site.

Head over to The SSL Store, an excellent partner in this somewhat bewildering world of web certificates and security acronyms. They will deliver friendly, security-qualified, and 24/7 customer support — not to be outdone by the best web hosts out there.

Questions or Comments? Ask Alexandra!

Ask a question and Alexandra will respond to you. We strive to provide the best advice on the net and we are here to help you in any way we can.

Was this helpful? Tell Us Thanks.

Like this article on Facebook

Tweet this article on Twitter

Share this article on Google+

About the Author

Alexandra Leslie

Alexandra Leslie’s interest in website administration was sparked in her teens, priming her for a fast-paced career in managing, building, and contributing to online brands, including HostingAdvice, Forbes, and the blogs of prominent hosting providers. She brings to the table firsthand experience in reviewing web hosts, perfecting website design, optimizing content, and walking site owners through the steps that add up to a successful online presence. Today, she combines her extensive writing experience with technical understanding to unpack some of the most complex topics that daunt novice website owners, as well as the subjects that excite veteran technologists within the HostingAdvice readership.

Disclaimer: Great efforts are made to maintain reliable data on all offers presented. However, this data is provided without warranty. Users should always check the offer provider’s official website for current terms and details. Our site receives compensation from many of the offers listed on the site. Along with key review factors, this compensation may impact how and where products appear across the site (including, for example, the order in which they appear). Our site does not include the entire universe of available offers. Editorial opinions expressed on the site are strictly our own and are not provided, endorsed, or approved by advertisers.